Table of Contents
Advertisement
8.0
A
-
BOUT SELF
Self-encrypting drives (SEDs) offer encryption and security services for the protection of stored data, commonly known as
"protection of data at rest." These drives are compliant with the Trusted Computing Group (TCG) Enterprise Storage
Specifications as detailed in Section 2.2.
The Trusted Computing Group (TCG) is an organization sponsored and operated by companies in the computer, storage
and digital communications industry. Seagate's SED models comply with the standards published by the TCG.
To use the security features in the drive, the host must be capable of constructing and issuing the following two SCSI
commands:
• Security Protocol Out
• Security Protocol In
These commands are used to convey the TCG protocol to and from the drive in their command payloads.
8.1
D
ATA ENCRYPTION
Encrypting drives use one inline encryption engine for each port, employing AES-256 data encryption in Cipher Block
Chaining (CBC) mode to encrypt all data prior to being written on the media and to decrypt all data as it is read from the
media. The encryption engines are always in operation and cannot be disabled.
The 32-byte Data Encryption Key (DEK) is a random number which is generated by the drive, never leaves the drive, and is
inaccessible to the host system. The DEK is itself encrypted when it is stored on the media and when it is in volatile
temporary storage (DRAM) external to the encryption engine. A unique data encryption key is used for each of the drive's
possible16 data bands (see Section 8.5).
8.2
C
ONTROLLED ACCESS
The drive has two security providers (SPs) called the "Admin SP" and the "Locking SP." These act as gatekeepers to the
drive security services. Security-related commands will not be accepted unless they also supply the correct credentials to
prove the requester is authorized to perform the command.
8.2.1
Admin SP
The Admin SP allows the drive's owner to enable or disable firmware download operations (see Section 8.4). Access to the
Admin SP is available using the SID (Secure ID) password or the MSID (Manufacturers Secure ID) password.
8.2.2
Locking SP
The Locking SP controls read/write access to the media and the cryptographic erase feature. Access to the Locking SP is
available using the BandMasterX or EraseMaster passwords. Since the drive owner can define up to 16 data bands on the
drive, each data band has its own password called BandMasterX where X is the number of the data band (0 through 15).
8.2.3
Default password
When the drive is shipped from the factory, all passwords are set to the value of MSID. This 32-byte random value can only
be read by the host electronically over the interface. After receipt of the drive, it is the responsibility of the owner to use the
default MSID password as the authority to change all other passwords to unique owner-specified values.
8.3
R
ANDOM NUMBER GENERATOR
The drive has a 32-byte hardware RNG that it is uses to derive encryption keys or, if requested to do so, to provide random
numbers to the host for system use, including using these numbers as Authentication Keys (passwords) for the drive's
Admin and Locking SPs.
8.4
D
RIVE LOCKING
In addition to changing the passwords, as described in Section 8.2.3, the owner should also set the data access controls for
the individual bands.
The variable "LockOnReset" should be set to "PowerCycle" to ensure that the data bands will be locked if power is lost. In
S
10K.6 SAS P
AVVIO
RODUCT
ENCRYPTING DRIVES
(RNG)
M
, R
. C
ANUAL
EV
37
- Quick Links:
- Standard Features
Hide quick links:
Advertisement
Table of Contents
